[j-nsp] out-bound anti-spoofing rules when using community-based routing

Mark Tinka mtinka at globaltransit.net
Thu Jan 24 20:09:02 EST 2008


On Friday 25 January 2008 03:00, Peter E. Fry wrote:

>   I'm curious myself...
>   I guess URPF doesn't fit your needs?  I'm not sure how
> a community match would differ a whole lot.  Sadly
> enough, the best method I can think of offhand would be
> to run two filters -- one general and one specific to the
> customer link.

This is how we do it as well.

Have a general outbound prefix-list to BGP customers that's 
secure enough, but if a customer needs to use your 
automated blackholing BGP community, you may build a more 
specific one for them that includes only their prefixes, so 
you don't have your "evil" customers potentially 
blackholing routes they do not own.

The configuration could grow, but perhaps automating this 
process (via RPSL, and making sure your customers "talk" to 
at least one RR) is one way forward.

Cheers,

Mark.
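The two-layer approach described in this reply (a general customer prefix filter, plus a per-customer policy that honours the blackhole community only for prefixes the customer actually holds, with the per-customer list generated from RPSL/IRR data) can be modelled end to end. The following is an added example written for this page; it is not code from the thread or from Juniper. The RPSL route objects, the AS numbers (AS64496, AS64497), the blackhole community value 64500:666 and the host-route-only rule for blackholes are all constructed assumptions. It builds a customer prefix-list from the route objects whose `origin:` matches the customer's ASN, then evaluates incoming announcements the way the per-customer import policy would, so that a customer tagging someone else's prefix with the blackhole community is rejected rather than discarded network-wide.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed RPSL route objects (not real IRR data): what an RPSL-driven
# automation would pull from a route registry for its customers.
IRR_OBJECTS = """\
route:      192.0.2.0/24
descr:      Customer A block 1
origin:     AS64496
source:     EXAMPLE

route:      198.51.100.0/24
descr:      Customer A block 2
origin:     AS64496
source:     EXAMPLE

route:      203.0.113.0/24
descr:      Some other customer
origin:     AS64497
source:     EXAMPLE
"""

BLACKHOLE_COMMUNITY = "64500:666"   # assumed provider blackhole community
MIN_BLACKHOLE_LEN = 32              # assumption: only host routes may be blackholed


def prefixes_for_origin(rpsl_text, origin_asn):
    """Build a customer's prefix-list from RPSL route objects with a given origin:."""
    allowed = []
    for obj in re.split(r"\n\s*\n", rpsl_text.strip()):
        attrs = {}
        for line in obj.splitlines():
            m = re.match(r"^(\S+):\s*(.*)$", line)
            if m:
                attrs[m.group(1)] = m.group(2).strip()
        if attrs.get("origin") == origin_asn and "route" in attrs:
            allowed.append(ipaddress.ip_network(attrs["route"], strict=True))
    return allowed


@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)


def customer_import(route, allowed_prefixes):
    """Per-customer import policy.

    Returns (action, reason) where action is 'accept', 'blackhole' or 'reject'.
    Term order mirrors a router policy: blackhole terms first, then the
    general customer prefix match, then an implicit reject.
    """
    net = ipaddress.ip_network(route.prefix, strict=True)
    # "orlonger" prefix-list match: the route must sit inside one of the
    # customer's registered blocks (same address family only).
    owned = any(net.version == a.version and net.subnet_of(a) for a in allowed_prefixes)
    tagged = BLACKHOLE_COMMUNITY in route.communities

    if tagged:
        if not owned:
            return "reject", "blackhole community on a prefix this customer does not hold"
        if net.prefixlen < MIN_BLACKHOLE_LEN:
            return "reject", "blackhole only permitted for host routes"
        return "blackhole", "next-hop set to discard"
    if owned:
        return "accept", "prefix within customer's registered blocks"
    return "reject", "prefix not in customer prefix-list"


if __name__ == "__main__":
    cust_a = prefixes_for_origin(IRR_OBJECTS, "AS64496")
    print("Customer A prefix-list:", [str(p) for p in cust_a])
    for r in (
        Route("192.0.2.7/32", {BLACKHOLE_COMMUNITY}),     # own host route: discard
        Route("203.0.113.9/32", {BLACKHOLE_COMMUNITY}),   # someone else's: reject
        Route("192.0.2.0/24", {BLACKHOLE_COMMUNITY}),     # whole block: reject
        Route("198.51.100.0/25"),                          # normal own route: accept
        Route("10.0.0.0/8"),                               # not theirs: reject
    ):
        print(r.prefix, sorted(r.communities), "->", customer_import(r, cust_a))
```

The general outbound/inbound filter from the first half of the reply corresponds to the final two branches; the customer-specific blackhole handling is the `tagged` block, which is the part that has to be generated per customer. Regenerating `allowed` from the IRR on a schedule is what keeps the per-customer policies from drifting as customers add prefixes.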